Professional Documents
Culture Documents
Digsig Transactions PDF
Digsig Transactions PDF
About Entrust
Entrust, Inc. [Nasdaq: ENTU] is a world leader in securing digital identities and
information, enabling businesses and governments to transform the way they
conduct online transactions and manage relationships with customers, partners
and employees. Entrust's solutions promote a proactive approach to security that
provides accountability and privacy to online transactions and information. Over
1,200 enterprises and government agencies in more than 50 countries use Entrust's
portfolio of security software solutions that integrate into the broad range of
applications organizations use today to leverage the Internet and enterprise
networks. For more information, please visit www.entrust.com.
Digital Signatures and e-Business
New business opportunities have emerged legislation on privacy and digital signatures,
as paper-based transaction systems are as well as industry-specific regulations for
moved online. Yet the road to an economy selected broad verticals. Examples of such
where the vast majority of transactions are legislation in the United States alone
electronic is not without concerns. These include the Electronic Signatures in Global
include knowing whom you are dealing and National Commerce Act (e-Sign), the
with (identification), who is authorized to Uniform Electronic Transactions Act (UETA),
access what information (entitlements), the Health Insurance Portability and
and how individuals will be held Accountability Act (HIPAA), Gramm-Leach-
accountable for their online commitments Bliley (GLB) Financial Services Act and the
(digital accountability). Government Paperwork Elimination Act
(GPEA). These types of regulations and
Digital signatures powered by public-key legislation have created not only
infrastructure (PKI) technology, are widely compliance challenges, but also
recognized as best practice for ensuring opportunities for competitive advantage
digital accountability for electronic over slower-moving rivals.
transactions. Digital signatures are the
most effective, secure, and easy-to- The broad adoption of digital signatures
implement method of providing built on PKI foundations is now generally
accountability while enabling electronic acknowledged. The infrastructure build-
transactions. This paper will help readers out is currently underway, and the scale is
develop a better understanding of what enormous - for example, the U.S.
digital signatures are, their role as an Department of Defense has requested
enabling tool in e-business, and how they $700 million in funding from fiscal year
can be used to advantage in light of recent 2000 through 2005 solely for PKI
legislative changes. development [Information Security -
Advances and Remaining Challenges to
Digital signatures deliver e-business Adoption of Public Key Infrastructure
advantage Technology, GAO, February 2001].
Aside from enabling new business processes, Digital signatures were first conceived of in
moving existing transaction systems online 1976. Now 25 years later, wide-scale
offers compelling advantages. These include acceptance of PKI-based enhanced
dramatic gains in: security solutions includes
• efficiency legislative support, with essentially all
• lower costs modern economies having existing or
• stronger partner/customer relationships pending legislation giving digital signatures
• personalization legal recognition. Leading organizations
• tighter integration of supply chains using digital signatures have raised global
awareness of their vast potential.
Rather than visiting a Web site, filling out
an application form, then printing, signing, Paper signatures
and sending a paper copy by courier or fax,
the use of digital signatures allows the final We are all familiar with paper signatures,
step in an otherwise online process to by which we mean handwritten signatures
be automated. The fundamental on paper documents. Aside from legal and
technology that enables security and contractual issues, the primary
characteristics of a paper signature are:
accountability for electronic transactions is
the digital signature.
1. it is intended to be associated with a
particular individual; and
In today's business environment, 2. it generally denotes a commitment
organizations must be aware of security related to a particular document, with
and privacy issues, including regulatory the exact meaning depending on
issues such as national and international context.
3
Though far from perfect, paper signatures and all available evidence beyond a
serve surprisingly well in many parts of the physical signature itself.
world as the basis for business and legal
transactions. This is due not to the In summary, societies have learned to use
inherent features of paper signatures, but paper signatures in circumstances in which
rather to accompanying processes, a physical marking on a paper document,
supplemental contracts, and the overall augmented by sufficient controls and
context surrounding acts of signing. context, provides sufficient recallable
Various customs of witnessing, public evidence of a commitment related to that
ceremony, and evidence have emerged document by the marking party. The
over time, in large part aimed at increasing evidence is important in order to
the chances of accurately reconstructing reconstruct circumstances, in the rare case
events should a dispute arise later. of later disputes.
Verify
Original Signature
Message
(plain text) Originator’s
Public Key
Originator’s
Private Key Yes (valid signature) or
No (invalid signature)
It is also important to note that simply EDI systems automated the purchase of
obtaining the consent of a user - for example goods through the electronic exchange of
by having the user click on an "I accept" information such as purchase order requests,
button - does not provide tangible evidence, quotes, acknowledgements, and invoices.
at a later point in time, that such consent was They were set up to allow automated
actually obtained. An online brokerage would processing of standardized messages. Trading
be hard-pressed to prove to an arbiter, at a partners reached common technical
later point in time, that the button was understandings as to how exchanged
located in an appropriate place, in an messages should be interpreted.
appropriate overall context, six months after a Nonetheless, because there remained a legal
disputed customer transaction took place. requirement of a "signed writing", it was
Indeed, recreating the environment of a past unclear how a court would interpret an EDI
user transaction is extremely challenging, as message exchange should a dispute arise. To
the design of Web sites and online forms reduce uncertainty regarding possible legal
changes frequently. This highlights the interpretations, EDI trading partner
difference between obtaining user consent, agreements were created. These were signed
and recording evidence that such consent was traditional contracts specifying rules for how
obtained. While passwords are in common exchanged messages should be interpreted,
use for identification and entitling access and the legal significance the parties intended
to accounts, passwords alone are of little help these to have. The contracts would be
in generating evidence generation such as available to a court should any disputes arise,
easily verifiable digital receipts, that is, for example with respect to fraud. The
reliable electronic transaction records expectation was that a court would respect
replacing paper receipts. Best practice for the desired interpretations as set out in the
securing digital receipts is through digital contract.
signatures.
The volume of EDI transactions over the past
Digital signatures, when appropriately 20 years has been huge. Interestingly, few or
implemented in accordance with standard no reported cases of EDI trading partner
practice, provide more security than paper disputes are known. While a single reason for
signatures or any form of electronic signature. this is difficult to establish, the use of
They are the only known means for reliably contracts to remove uncertainty and clarify
binding a signature to electronic data in a expectations appears to work very well.
manner that is both secure and easily Consequently, the use of contractual
verifiable - a property that is absolutely agreements offers an attractive solution for
fundamental to e-business. They also offer any similar concerns in particular transaction
the ideal means for guaranteeing the integrity systems intending to use digital signatures.
of audit trails and online storage. As a result,
digital signatures are equated with best Open vs. self-governed systems, and
practice for digital verification. the relevance of digital signature
legislation
Contractual agreements vs.
legislation-based business transaction Business transaction systems can be divided
systems into open systems and self-governed systems.
In open systems, such as most cash-based
Although E-Sign and related legislation retail sales, the rules of operation exist
provide an important framework for digital without special negotiation or membership.
signatures, some degree of uncertainty is For example, in many countries rules
inevitable regarding a court's interpretation of governing the sale of goods include consumer
8
protection legislation. Open systems provide Entrust provides leadership with
ground rules and a degree of comfort that is digital signature solutions
generally welcome in the case of strangers
doing business with strangers. Entrust has unique expertise and a long
history of helping organizations integrate
Self-governed systems, in contrast, are based digital signatures into their business operation
on some form of membership or semi-closed across a broad range of applications including
community. A relationship is formed based on e-mail, Web-based applications, electronic
voluntary agreements, often bilateral. Parties forms, and customer applications. Global
then transact business based on this 2000 organizations have been using Entrust
relationship. The agreements may include technology to power digital signatures since
allocation of risks between the parties, the 1994.
definition of rights and obligations, and terms
regarding how disputes should be resolved. Proven expertise and enhanced
By this means, any uncertainties as to how a security solutions from Entrust,
court might interpret existing laws may be combined with partner solutions,
reduced, as in the case of EDI trading partner can help you meet the best-practice
agreements. security and privacy expectations of your
employees, customers, partners, and
Electronic signature legislation has the suppliers. We can also help you interpret the
greatest impact on open systems. However, national and international regulatory
the majority of commercial electronic compliance requirements of existing and
transaction systems can be realized as self- emerging privacy and digital signature
governed systems, including intra-business, legislation.
business-to-business (B2B), and e-commerce
transaction systems in general. For more information on digital signatures,
visit the Entrust Resource Center at
Enabling legislation and compliance http://www.entrust.com/digitalsig/index.htm
issues related to digital signatures and
privacy Entrust®, Inc. (Nasdaq: ENTU) is
a leading global provider of enhanced
Digital signatures enable business innovation Internet security solutions and services that
by allowing paper processes to be moved make it safe to do business and complete
online, while ensuring continued transactions over the Internet. Entrust has the
accountability. Legislation related to digital industry's broadest set of indentification,
signatures such as the Electronic Signatures in entitlements, verification, privacy and security
Global and National Commerce Act (E-Sign) management capabilities. More than 1,200
and the Uniform Electronic Transactions Act major corporations, service providers, financial
(UETA) are important as they remove institutions and government agencies in more
uncertainties regarding legal interpretations of than 40 countries rely on the privacy, security
online transaction systems. Privacy legislation and trust provided through Entrust's portfolio
is closely related, as digital signatures play an of award-winning technologies. For more
important role in identification, information, visit www.entrust.com.
entitlements, and verification - all of these
being fundamental to online privacy.
Important sector-specific examples of
legislation include the Health Insurance
Portability and Accountability Act (HIPAA)
and the Gramm-Leach-Bliley (GLB) Financial
Services Act.